VYPR
Unrated severity · NVD Advisory · Published Aug 1, 2022 · Updated Aug 3, 2024

Out-of-bounds Write to API in vim/vim

CVE-2022-2598

Description

A heap out-of-bounds write in Vim's diff mode can be triggered by a crafted sequence of diff put and undo commands, leading to a crash or arbitrary code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An out-of-bounds write vulnerability exists in Vim's diff_mark_adjust_tp() function, which is triggered during diff mode operations when using the dp (diff put) command followed by an undo. The code in diff.c failed to validate that the line offset (off) subtracted from dp->df_lnum[i] would not cause the result to become zero or negative, leading to a write past the allocated buffer. The flaw affects Vim versions prior to 9.0.0100 [1][2].

Exploitation

An attacker must first convince the victim to open a file with diff mode enabled (e.g., by using vim -d or running :set diff). The attacker then needs to craft a sequence of commands in the editor: a diff put (dp) followed by an undo (u) operation. The patch comment notes "FIXME: somehow this causes a valgrind error when run directly but not when run as a test", indicating that the race-like conditions may require specific file content to trigger the invalid memory access reliably [1]. No special authentication or network position is required beyond delivering the crafted file or command sequence.

Impact

Successful exploitation results in an out-of-bounds write to heap memory. In the worst case, this could allow an attacker to crash Vim or achieve arbitrary code execution in the context of the victim's session. No CVSS score is given explicitly; scores for such vulnerabilities typically range from 7.8 to 9.8, and the Huntr bounty listing implies it was considered a high-severity issue [2].

Mitigation

The vulnerability is fixed in Vim 9.0.0100, released on 2022-08-01. The patch adds bounds checking to diff_mark_adjust_tp() by comparing the line number with off before subtracting and setting df_lnum[i] to at least 1 [1]. Users should upgrade to Vim 9.0.0100 or later (9.0.0101 includes additional refinements). No workaround is available; disabling diff mode may reduce exposure but is not a complete fix. The CVE is not listed on CISA KEV.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


Vulnerability mechanics

Root cause

"Missing bounds check on line number subtraction in diff mode allows the line number to underflow below one, causing an out-of-bounds write."

Attack vector

An attacker can trigger an out-of-bounds write by exploiting an invalid memory access that occurs when diff mode's "dp" (diff put) command is combined with undo operations. The bug manifests when the line number in a diff block drops below one due to an unchecked subtraction, leading to an out-of-bounds write on the API (application programming interface) data structures [ref_id=1]. The test case shows the sequence: entering diff mode, using undo, and then executing "dp" commands to reproduce the crash [ref_id=1].

Affected code

The vulnerability is in the `diff_mark_adjust_tp` function and the `ex_diffgetput` function in Vim's diff mode logic. The patch modifies `diff_mark_adjust_tp` to guard against underflow when subtracting `off` from `dp->df_lnum[i]`, and changes `ex_diffgetput` to check the return value of `ml_delete()` before decrementing the `added` counter [ref_id=1].

What the fix does

The patch adds a bounds check in `diff_mark_adjust_tp` so that `dp->df_lnum[i]` is only decremented by `off` when it is greater than `off`; otherwise it is set to 1, preventing underflow below the valid line number range [ref_id=1]. In `ex_diffgetput`, the patch changes the code to check that `ml_delete()` returns `OK` before decrementing the `added` counter, ensuring the counter stays consistent with the actual buffer state [ref_id=1]. A new test `Test_diff_put_and_undo` was added to cover this scenario [ref_id=1].
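As an added illustration (not Vim's code and not the patch itself), this C model of a 1-based diff-block line table shows why the unguarded subtraction described above yields an invalid line number and how the described clamp to 1 prevents it; DB_COUNT, NBLOCKS, the diff_T layout and the scenario values are constructed assumptions.

```c
/* Constructed model of the CVE-2022-2598 fix: not Vim's code.
 * Vim line numbers are 1-based; a diff block records, per buffer, the
 * first line it covers (df_lnum[i]). When `off` lines above a block go
 * away, each df_lnum[i] is reduced by `off`. Unguarded, the result can
 * reach 0 or go negative, and a later access through that line number
 * lands outside the buffer's line table. */
#define DB_COUNT 2   /* hypothetical: two buffers in the diff */
#define NBLOCKS  3   /* hypothetical: three diff blocks */

typedef long linenr_T;

typedef struct {
    linenr_T df_lnum[DB_COUNT];  /* first line of the block in each buffer */
} diff_T;

/* Unguarded adjustment, as the text describes the pre-fix behaviour. */
linenr_T adjust_unguarded(linenr_T lnum, linenr_T off)
{
    return lnum - off;
}

/* Guarded adjustment: subtract only when lnum > off, else clamp to 1. */
linenr_T adjust_guarded(linenr_T lnum, linenr_T off)
{
    return lnum > off ? lnum - off : 1;
}

/* Apply the adjustment for buffer `idx` to every block and return how
 * many resulting line numbers fall outside the valid range 1..line_count. */
int adjust_blocks(diff_T *dp, int nblocks, int idx, linenr_T off,
                  linenr_T line_count, int guarded)
{
    int bad = 0;
    for (int b = 0; b < nblocks; b++) {
        linenr_T *p = &dp[b].df_lnum[idx];
        *p = guarded ? adjust_guarded(*p, off) : adjust_unguarded(*p, off);
        if (*p < 1 || *p > line_count)
            bad++;
    }
    return bad;
}

/* Constructed scenario: blocks start at lines 2, 5 and 9 of a 10-line
 * buffer 0, and 4 lines above them are removed (off = 4). */
int scenario(int guarded)
{
    diff_T blocks[NBLOCKS] = { {{2, 1}}, {{5, 3}}, {{9, 8}} };
    return adjust_blocks(blocks, NBLOCKS, 0, 4, 10, guarded);
}
```

With the unguarded path the first block ends up at line -2, an index no buffer has; the guarded path clamps it to 1 and every block stays addressable.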

Preconditions

  • config: Vim must be in diff mode (set diff)
  • input: The attacker must be able to execute the 'dp' (diff put) command and undo operations

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
